PT-2023-6499 · Anaconda · Anaconda3+1

Jeremy · Published 2023-09-11 · Updated 2024-01-31 · CVE-2023-35845

CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Anaconda 3 versions 2023.03-1-Linux; Miniconda: version not specified

Description
The issue allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. The estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited.

Recommendations
For Anaconda 3 version 2023.03-1-Linux, restrict write access to the cacert.pem file to prevent modification. For Miniconda, there is currently no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, remove world write permission from files in the Miniconda installation directory to minimize the risk of exploitation.
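The following script is an added example for the workaround above; it is not part of this advisory and not Anaconda's own tooling. It audits an installation prefix for world-writable files, strips the "other write" bit from files and directories, and checks that every cacert.pem under the prefix is no longer world-writable. It assumes a POSIX find and chmod; the prefix path is whatever directory the installer was pointed at (for example ~/anaconda3 or ~/miniconda3), which the script takes as an argument rather than guessing.

```shell
#!/bin/sh
# Hardening helper for an Anaconda/Miniconda install prefix (added example).
# Uses the portable octal form -perm -002 ("writable by other") so it works
# with GNU and BSD find alike.

# list_world_writable PREFIX
# Prints every regular file under PREFIX that any local user could modify.
list_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# harden_prefix PREFIX
# Removes the world-write bit from files and directories under PREFIX.
# Directories are included because a world-writable directory lets anyone
# replace cacert.pem by renaming, even if the file itself is read-only.
harden_prefix() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} +
}

# cacert_is_protected PREFIX
# Returns 0 when at least one cacert.pem exists under PREFIX and none of
# them is world-writable; returns 1 otherwise.
cacert_is_protected() {
    certs=$(find "$1" -type f -name cacert.pem 2>/dev/null)
    [ -n "$certs" ] || return 1
    exposed=$(find "$1" -type f -name cacert.pem -perm -002 2>/dev/null)
    [ -z "$exposed" ]
}

# Usage (run as the owner of the install, or as root for a shared install):
#   sh harden_prefix.sh /path/to/anaconda3
if [ -n "$1" ]; then
    echo "World-writable files before hardening:"
    list_world_writable "$1"
    harden_prefix "$1"
    if cacert_is_protected "$1"; then
        echo "cacert.pem is no longer world-writable"
    else
        echo "cacert.pem missing or still world-writable" >&2
        exit 1
    fi
fi
```

Run the audit step first on its own if you want to see how many files the installer left open before changing anything; the chmod only touches the "other" class, so the owning user and group keep their existing permissions.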

Exploit

Weakness Enumeration
Improper Certificate Validation

Related Identifiers

BDU:2023-07245
BIT-MINICONDA-2023-35845
CVE-2023-35845

Affected Products

Anaconda3
Miniconda